Hacker News new | past | comments | ask | show | jobs | submit login
Tech Companies Fight Back After Years of Being Deluged with Secret FBI Requests (theintercept.com)
263 points by uptown on June 21, 2016 | hide | past | web | favorite | 73 comments

The FBI’s decision to ask companies for everything and let them figure out what they’re required to turn over has had the effect of potentially putting smaller companies with fewer resources at a disadvantage, say national security attorneys. Without expensive legal representation and a familiarity with the law, companies might turn over more content than is necessary.

You'd think the FBI wouldn't be able to just demand all kinds of stuff they have no legal right to.

It's sad that the current state of our legal and political systems allows this sort of tactic to be effective and go unpunished.

Liberal democracies usually operate under the principle that you can ask anything you want of someone, and it's up to them to say "no" if they find it disagreeable. The law is then there to step in when there is a dispute and say which party is right. Even the Bill of Rights depends upon people specifically asserting their rights; if a person voluntarily chooses to incriminate themselves, they've still incriminated themselves, the 5th amendment just states that if the government asks them to bear witness against themself and they refuse to speak, they have done nothing wrong.

While this can lead to unfortunate power imbalances and information asymmetries, it's hard to see how the legal system could operate otherwise. If people were forbidden from asking - who would do the forbidding? What if this is used to prevent contracts that would legitimately be in the best interest of both parties? What if it were used to prevent emerging power centers from challenging the power of the organization that can determine what's legal to ask? How would you even know that such a question has occurred, if one party says "Don't talk about this"?

Probably the best we can hope for is for Congress to pass a law specifically enumerating what electronic records the FBI may request. That seems to be what this article is calling for - consciousness-raising, and public debate. There's plenty of precedent for this, eg. the Miranda rights came from a court case where it was determined that police could not simply assume that a suspect was aware of their constitutional rights, and had to explicitly have them enumerated. But the fact that this needs to be handled on a case-by-case basis is a feature of the legal system, not a bug.

Your reply might be inadvertently equivocating on meanings of "request", although I can see an interpretation where you're right.

Bear in mind that in many government data requests, the government is really demanding or instructing someone to provide the data, in a manner calculated to make the recipient think that complying is not optional and that refusing to comply would be punished.

In other contexts, the courts have at least created suppression remedies when law enforcement agents order people to do things that aren't really legally required. And if you as a private party make an improper legal demand of someone, there could be a legal remedy against you just because of that (although maybe that falls under "[t]he law is then there to step in when there is a dispute").

I think there are also cases where people have maintained civil rights challenges against law enforcement officers who gave improper orders (for example, improperly ordering someone to stop doing something -- like photography!). I would think the legal system could pay attention in a broader range of situations to the difference between law enforcement requesting people consent to something and making people believe that they have no choice.

There's always an alternative to the government demanding something: lawyer up and take it to the courts.

There are very real pragmatic problems regarding the expense and distraction to an organization that may be struggling on the margin of survival anyway, and additional principle-agent problems when this organization is not personally hurt by complying with the FBI's request but is instead acting on a customer's behalf, who will probably never know that the request was made in the first place. But those are the problems that the article is proposing to solve, probably through an organization that serves as a clearinghouse of information and legal assistance to small companies that need to handle customer data but don't necessarily have the resources to fight such a battle themselves.

Even if you take it to court, the statute that authorizes judicial review of NSLs restricts the authority of the judicial branch to engage in judicial review. Instead of being able to strike down NSLs for any reason that a court may determine is unlawful, under the statute courts may only overturn gag orders if the court finds “that there is no reason to believe that disclosure may endanger national security of the United States, interfere with a criminal counterterrorism, or counterintelligence investigation, interfere with diplomatic relations, or endanger the life or physical safety of any person.

So no you cannot always just take it to court. In many cases it may be illegal to do so.

I'm don't think that's an accurate interpretation. Congress can't just add a line to every statute to exempt it from judicial review. Even if they tried, the courts would just ignore it as they have done before.

This would be sustainable iff:

1. The party who did not want to be involved in the situation was considered the defendant (as opposed to the current default-inversion where they likely have to go on the offensive in court).

2. The only outcome from 'losing' such cases was enforcement of the original order, rather than fines and jail for noncompliance with the original ambiguously-fraudulent order.

3. The defendant was given gratis legal representation of their choosing.

4. In the case that a defendant did something that was not required of them due to a misrepresentation by the aggressor, they were automatically and fully compensated for damages (more relevant for individuals vs the police).

Without this, those who are less disincentivized to engage in legal battles (eg those who don't risk jail time for losing, are getting paid a salary, and are funded by public money) will use the complexity of the legal system to bully those who would simply rather not get involved. Since the costs are borne by those who would rather not be involved, the complexity of the legal system will grow without bound - the current de facto requirement for the average person to employ a lawyer to interpret the law is already a violation of "equal protection".

> Liberal democracies usually operate under the principle that you can ask anything you want of someone, and it's up to them to say "no" if they find it disagreeable. The law is then there to step in when there is a dispute and say which party is right.

That is true, but there's a difference between a request and wrapping something in the flag and saying it's a lawful order. A LEO can ask me whatever they want; in some situations it's a lawful order and I go to jail if I don't comply, and in others I can say no. This doesn't mean that a LEO can stop everyone and demand things with no probable cause. With the FBI letters it's even worse because they carry a gag.

It is one thing to ask, quite another to demand and claim that the law is able to compel the other party to comply. Especially materially misrepresenting the law during a demand by a powerful party that should have known better. Do you think we can't distinguish this from a regular request?

They should be required when asking for something to state whether it is a lawful order or a request.

But the real problem is that the government would lie anyway and can't be trusted. It's sad that our "protectors" have become so corrupt and dishonorable.

Oh, also there should be real consequences when agencies are caught lying or being dishonorable. I can dream, right?

The problem with the "lawful order or request" split is that, even if they make it very clear, there's the implicit threat of escalation if you don't agree.

Today you refuse a request. Maybe tomorrow they convince a judge to let them very publicly come to your offices to take the data.

I suspect that fear drives many people and companies to cooperate, even if they understand that there's a choice.

They can convincea judge to do that anyway, if it was a lawful request.


I believe the next step after a request would not be a search warrant, it would be a warrant for the data lawfully requested. A company would not be able to refuse such a lawful request. IANAL though, so what do I know.

Exactly. And when FeeBees "ask" it is, ultimately, at the point of a gun.

> Liberal democracies usually operate under the principle that you can ask anything you want of someone

Except in cases like blackmail, extortion, racketeering... even harassment - you won't get much luck asserting the person you were harassing never bothered to tell you to stop. There is a whole host of behaviors that do not require the victim to mount a defense, because we've identified a power imbalance that might make it infeasible.

I think you're missing the problem with the current situation. It's a matter of incentive, and the fact that the FBI has no incentive to stay within the parameters of the law, no incentive to limit its requests, no incentive to get things "right". When a mere mortal citizen steps outside the bounds of the law, they are swiftly punished, and ignorance is no excuse. When anointed government officials overstep the boundary, it's no big deal because quite often, there's just no mechanism to punish them for it. But there needs to be such a punishment, otherwise trust in the system erodes rapidly.

The dilemma you posed is a false one. There is plenty of nuance inbetween the two extremes - "Don't let the FBI ask" and "The FBI can ask about anything and it's your job to figure out if it's legal or not". Possible recourse could require a pattern of abuse, determination of gross negligence, the punishment could be contextualized - mistakes leading to fines in favor of the citizen, while gross abuse leading to criminal charges. There's plenty of room for discussion of the specifics of such a system, but it must exist, and also the public must see it applied effectively in cases of extreme abuse.

I think your comparison of "you can ask anything of someone" ignores the reality of the relationship between two private citizens, and a private citizen and the government. The government expects trust, demands obedience and respect, but you cannot have any of those if it will also bend the rules it is supposed to be following, lie and cheat its citizens out of their rights. Even if staying within the marginal bounds of the law, this creates an adversarial relationship between citizens and the government, and breeds animosity and contempt. I believe there is a middle ground to be found between the government being paralyzed to act due to fear of making mistakes, and citizens living in distrust and fear of the government, which is supposed to serve them.

This "feature" of the legal system, where the weak are trampled because they do not have the power to assert their rights, makes it rotten to the core. Ask any CDL what the outcome of this "feature" is, for the poor, the uneducated, the ignorant, for minorities and for the weak. The law does not need to protect the strong - they already have the power to do so themselves. If a legal system fails to protect those weak in society from abuse, then it is at best pointless, and at worse, just another tool for those in power to subjugate the rest.

> the fact that the FBI has no incentive to stay within the parameters of the law

The FBI isn't operating outside the parameters of the law. If they ask you for a piece of information that you are not legally required to hand over you can still choose to hand it over voluntarily.

I think the point is that the law should be refined so that if they ask you for something they should make it clear what you are legally required to handover and what they are asking nicely for. Then punish officiors or departments that mislead.

It seems like they're basically lying to people about their own legal powers and the person's legal obligations. Don't you find that troubling?

and the cost of compliance, and to business, individual freedoms and trust in government is compromised in the process

Great level-headed response! It sounds like there could be an interesting side project for someone—a mini-site that explains each of the things the FBI is allowed to request via each type of request. Or even sponsored by the EFF.

Seems like a case of imbalanced consequences.

If a company doesn't properly comply with a request, the company and some of its workers could quite possibly face criminal consequences. If the FBI's request is eventually found out to be invalid, very little of consequence will happen to the Bureau and even less to the employees.

Unfortunately, this imbalance isn't unique to the FBI or even law enforcement. Even most government regulatory agencies seem to enjoy a presumption of acting in good faith which gets the agency, and even more crucially the employees, out of trouble when they overstep.

You'd think the FBI wouldn't be able to just demand all kinds of stuff they have no legal right to.

Paying some respect to established history for a moment, I-personally speaking-am not shocked at all. This sort of clandestine activity is how the FBI was born.

Yeah, I realize they have a very long history of this sort of behavior (pioneered by J. Edgar Hoover).

I suppose what I was trying to imply was that the FBI was born of these tactics, emboldened by Hooover, condoned by the courts until they-the bureau-grew to such a size that (combined with McCarthyist politicking and language waged over nebulous concepts like "terrorism" and "drugs") that this is just a par 3 course for them.

It doesn't make these things right of course, but I can't feign apoplectic over it either. You should expect better, but those expectations should be tempered just a bit. I don't think any amount of coverage or outrage is going to make a dent in this problem as long as the system the FBI operates in refuses to keep itself in check.

It is this that is a huge part of how I react negatively to the recent issue where Facebook has suddenly decided to push heavily on me to install a Facebook Messenger Android app on my phone.

You know: the functionality that already worked, that was already a cleanly solved problem in their mobile web app. But yet with a native Android app the store says they "need" to access my camera, my microphone, my GPS, all my contacts, all my photos, videos, my file system, my phone, my wifi interface, etc etc. Because... you know. Just trust us. In order for me to type in a short ASCII text message and hit ENTER and have that delivered to another person. A problem solved with much less code, and much less permissions, both in SMS, email, Usenet, etc, for the prior 30+ years.

I glance over to Shirer's Rise & Fall on my bookshelf, for a second or two, before falling asleep tonight.

"Trust us." - 1932 Germany/Europe is calling

> You'd think the FBI wouldn't be able to just demand all kinds of stuff they have no legal right to.

The police are entitled to ask for cooperation from people to help with investigations. If there is a crime in my neighborhood, should police be banned from asking me about what I saw just because they can't compel me to do so?

And if you set the boundary for what police "may ask for" == to what police may "compel you to provide" don't you think that'll lead to undesirable growth in the latter?

What they are doing is the equivalent of demanding that people help with the investigation and threatening them with legal consequences if they don't.

The fact is that even if a police officer doesn't have the right to arrest you for refusing to comply, they can absolutely threaten to do so and as a matter of fact if they choose to cuff and detain you that is what will happen regardless of your legal rights regarding any information you might have.

How about a nice compromise where if the person asks whether they have to comply to a request, the government has to respond truthfully? As far as I know, there are no such requirements.

IMO they should be allowed to ask for whatever they want, but they must also clarify if it is a lawful order or a request.

Then it is up to the requestee to decide whether or not to comply. That is the whole point of living in a democracy and not a police state, correct? Also that is the actual law.

Tricking people into doing more than required by law is fraud in my opinion.

Leading people to forfeit their rights, to motivate them to offer more information than they are legally required to provide, is a long-standing law enforcement strategy.


One not-perfect trick: Stop retaining sensitive information. There is nothing in law that forces you to do retain things like IP addresses.


Then they can harass you for data all the time with illegal shit "court" orders and you can give them garbage and they can do nothing about it.

This is the best method I've seen for dealing with this problem on a budget. Unfortunately the tradeoff is losing a lot of not-especially-effective tools for dealing with spammers and the like.

Relevant: Bruce Schneier's "Data is a toxic asset", https://www.schneier.com/blog/archives/2016/03/data_is_a_tox...

You may want to learn about how Lavabit was shutdown.

Lavabit's shutdown revealed the flaw in its premise. That encryption-at-rest was good enough for email security (while using a single TLS key for all in-flight data). Turns out it's not. Only end-to-end encryption—with keys only held by the end-users—can provide that. As despicable as FBI's actions in that case may be, they did the public a service by showing Lavabit's security proposition to be less than what users may have assumed.

EDIT: Nothing I wrote above detracts from your point, though. Re-enforces it, in fact. Lavabit held little or no data, which caused the FBI to escalate to the nuclear give-us-your-master-key option.

As far as IP address goes, you could store a cryptographic hash of the IP, rather than the IP itself. That would prevent you from, say, identifying entire subnets used by spammers, but would be better than nothing.

You'd just need to do the hashing with some kind of tamperproof keystore that exploded when the FBI fiddled with it.

This wouldn't work without some really bizarre implementation that would make it less of a hash and more of a cipher. The range of potential values is too small and highly structured, generating a rainbow table would be braindead simple.

> ...tamperproof keystore that exploded...

So not one way hashes then?

Generating a salt and tossing it into scrypt would break any rainbow table attempts, but it's still only 4,294,967,296 or so addresses for v4. It's pretty hard for a small government to do it, but I wouldn't put it past the NSA.

This is how we've implemented IP address retention at Neocities, BTW: https://github.com/neocities/neocities/commit/4983a9b24eac00...

Step two is to throw them away after x amount of time. It's not perfect, but there you go. The best way is still to throw them away from the beginning, but we do need them for spammers and the like.

Subtract 588 million reserved IPs, as well as 2 from each subnet (0 and 255). There are also a lot of blocks that are publicly routable but see no use on the internet. If I were to build a rainbow table, I'd start with blocks assigned to ISPs, then throw in the results of publicly available distributed internet surveys, only then would I start the algorithmic address generation. Same story for IPv6. I really don't think it is a state actor level problem, but if it is it won't be for long.

Right, no I agree, except that the rainbow table won't work if you used a salt. You'll need to brute force it for that particular salt value.

Still quite doable, if you have the right resources at hand. As you pointed out, it's less than the entire IPv4 space too.

Ha ha, excellent point until we have ipv6. Less late nights for me.

That's a really interesting point actually. A hash of IPv6 would essentially be technically infeasible to brute force if fed through something like scrypt. But it wouldn't be exactly 128 bit random, since they could do a search based on the addresses allocated. I'd need to know the size of that potential pool to know how hard that would be, but if it's already in the dozens of billions, it's pretty difficult.

Regularly changed salts?

If the reason for holding IPs is to be able to, say, mitigate network abuse, then a salt or other addition which is only available for a brief period would prevent being able to test a long-term datastore for a given IP.

The rsync.net warrant canary is 10 years old this year.


You must have very boring customers.

Just curious, why is a latest newpaper headline part of a warrant canary?

The idea with a canary is that some government request can stop you from disclosing that request ("hey everyone we got subpoena'd") but they can't stop you from NOT updating a page. Putting a newspaper headline on the page basically provides a timestamp so anyone checking can go "hey, their canary hasn't been updated in 6 months... maybe something happened". At least that's my understanding of it.

Would a date not suffice?

You can't put the headline in there before it's been published, whereas you can put any date you like.

I wonder if companies could just invoice the FBI for document processing or administrative fees. Just follow the FOIA fee structure. Or, charge a whole lot.

You can't make the NSL public, but it's not like you're complying with a warrant or something that would be immune from fees.

Of course the government will refuse to pay, so you sue. Presumably you could subpoena the emails around the NSL without disclosing the NSL. "We need to get this information from $tech_company", $tech_company provided the information. pay me.

The FBI et al issue NSL's without a court order and on their own prerogative correct?

In that case the FBI can get a warrant like the constitution they swore to uphold demands of them.

I'm tired of people bending over backwards for unconstitutional poppycock like warrant-less surveillance. It's a fundamental part of the supreme law of the land, the constitution!

A more-detailed exposition on the topic: https://www.emptywheel.net/2016/06/21/key-details-about-the-...

> The FBI’s decision to ask companies for everything and let them figure out what they’re required to turn over has had the effect of potentially putting smaller companies with fewer resources at a disadvantage, say national security attorneys. Without expensive legal representation and a familiarity with the law, companies might turn over more content than is necessary.

Tech companies should jst turn over more than they're required. If they demand info on 5 users, send 10K gzipped blend of fake & real users and random images from imgur.

It's fun to speculate on things like this but when in the shoes of a small company faced with that request, without the clout of places like Apple and Google, I would not want to piss off the FBI.

Who's the FBI?

grep <user> filename

I think the FBI could work out how to do it.

well they would probabky have to cat every file because they would all be md5 hashstrings ;)

It works for FOIA

The prevailing strategy if FOIA requests now seems to be sprinkle some 'personal' information in with the rest and then you get to pick and choose what to release. So it's kind of the reverse of this.

Eh, column A and column B. I'm convinced that the only reason this happens is because of bad wording in FOIA requests, combined with a lack of pushback after rejections or missing/redacted information.

A great way to get around that prevailing strategy is to simply chain requests - particularly since "unduly burdensome" is such a popular rejection. For example, I've been after the Chicago mayor's communication records and a recent request for communication records of three companies was rejected for being "unduly burdensome". My response to that is to request their DNS resolution logs and the domains/times/from of sent email. I honestly don't actually care that much about the DNS logs - the information is (mostly) just for finding significantly narrower windows for when communication is likely to have happened. Having an exact time for an email will get rid of their claims of burden.

It still makes me chuckle that their obstinance only makes me request more, and each time it results in more information than I was originally seeking.

If done right, FOIA is a lot more useful than you might think.

So basically:

"Can I get the mail.log for $date1 through $date2"

"no that would be too much work"

"is cat {ls -R /var/|grep *.log} |emailthistome.txt easy enough"

"sure here you go"

Pretty close! The bigger problem is actually vetting the data for privacy concerns. The original foia request included some code to run a whois on each domain. Not a privacy concern since it's "just" metadata ;)

They also claimed that the burden wasn't worth the public interest, so I pasted in some unsolicited HN comments from folks supporting my work.

I find out tomorrow if it worked.

Government systems are subject to FOIA requests and thus should not contain any data that is considered 'private'. A sane law would tell them "too bad, so sad, it's public now"

I completely agree and fought pretty hard towards that, but the court eventually agreed with the state/city.

Excerpt from the court docs of my suit: Additionally, the Illinois Attorney General's Office Public Access Counselor ("PAC") has established that City-issued cell phone numbers are exempt from disclosure pursuant to 5 ILLS 140/7(1)(c), because the disclosure of these numbers would constitute a clearly unwarranted invasion of personal privacy. As the PAC reasoned, certain City employees are issued cell phones so they may be on call during non-work hours or while away from their offices. Disclosure of these numbers could subject staff to excessive phone calls from the public at all times of day. Further, if staff were forced to turn off their cell phones to reduce such intrusion, they may not be readily available to attend to the business of the public body, defeating the purpose of issuing them cell phones. (See 2010 PAC 8685, issued September 30, 2010, attached hereto as Ex. B.)

Thus, the only phone numbers which are not exempt under FOIA are those that are publically listed and are not home telephone numbers, personal telephone numbers, or work-issued cell phone numbers. In other words, FOIA only compels the production of listed numbers belonging to businesses, governmental agencies and other entities, and only those numbers which are not work-issued cell phones.

That said, this isn't stopping me from continuing aggressive requests that will eventually get me similar information. I know of a way of getting the information they say I couldn't have, while maintaining it as 'public'. need to think through some small details first, though. Don't want to mention it online, though. ;)

It would be curious to know if given the choice of supporting mass surveillance or not being able to use services and products from brands like Apple, Google, Microsoft, Wikipedia, etc. - what consumers would choose.

If they'd opt to use those brands, seems like the answer to change maybe very simple.

I feel like the public has already implicitly chosen convenience over privacy and freedom.

IMO it is up to us techies to come up with a private and open system that offers the same conveniences without the privacy problems.

The perfect system to me would support:

- distributed (p2p) to avoid isolated silos and censorship

- Tor-style privacy

- encryption

- multi-user database support to allow dynamic sites (ie users have access to store their own posts/data on a site), not just static pages

- distributed torrent-style downloading and streaming of large files

- some kind of bitcoin payment system for people mirroring sites?

Zeronet combined with Tor is very interesting to me, although currently it doesn't support large file chunking or payment-for-storage.

IPFS is good but doesn't have the privacy or multi-user database support.

Freenet comes close, no database or torrent iirc though. Or dynamic sites(to my knowledge).

It also seemed very complicated to put your own sites up on Freenet. Seems like it's pretty easy for an individual to put something up on IPFS or Zeronet.

“Had the FBI put a reasonable position on the table … five years ago they probably would’ve got that through,” Gidari argues. “They’re their own worst enemy on this stuff.”

At this point, I honestly fail to see why the FBI is allowed to continue existing. They seem antithetical to a democratic society.

Just playing devils advocate but...

Aren't the FBI the good guys going about catching criminals and terrorists? So aren't we morally obliged to help rather than stamp our feet and say no and then publish a blog post about how we are fighting back against the tyranny of law enforcement. FFS.

Do you think that government agencies are beyond reproach and should not be held accountable for their actions?

Unfortunately the FBI has a long history of activities clearly contrary to the public good.

The (incorrect) concept of the world consisting of good and bad guys whilst dangerous and leading to flawed reasoning about society (of which this post is an excellent example) is fascinating. I'd be really interested in how it became so prevalent in US society.

Is the President a good guy that we are obliged to follow? I think you have it backwards. The FBI derives it's power from the people it serves.

It is in all our interests to have healthy functioning governments that serve their communities well. (Is there any other role of a government?) That happens through discussion and debate, not through doing whatever they tell us to do.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact